- which versions are you using SonarQube-enterprise 10.6.0
- how is SonarQube deployed: Docker
- what are you trying to achieve: Rotate tokens with admin rights - problem with revoking
- what have you tried so far to achieve this: I tried running calls to the Web API `api/user_tokens/revoke` with basic auth (admin, password) and with an admin USER_TOKEN. Both cases silently fail and throw `DEBUG web[f4a933f6-4f0a-4a63-80b5-fac3702e4811][auth.event] login failure [cause|Wrong CSFR in request][method|JWT][provider|LOCAL|local][IP|]` with 401.
This makes programmatic management of tokens problematic.
Since SonarQube doesn’t provide OIDC-based short-lived tokens to initiate scans per project, I was considering creating a PROJECT_ANALYSIS_TOKEN for each project and storing them as repository secrets to be referenced in CI/CD, and apparently it would have been a costly mistake to clean up, since I won’t be able to revoke them with a script. This way, I have to trust my users to manage their tokens, or support them from the UI, which is something I want to automate away.
If I don’t want to use a GLOBAL_ANALYSIS_TOKEN, what are my options from this point onwards?
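One way to script the rotation the post describes, as an added example that is not code from the post or from SonarSource: it assumes a SonarQube 10.x server that accepts `Authorization: Bearer <token>`, the `api/user_tokens/generate` and `api/user_tokens/revoke` endpoints with their `login`, `name`, `type` and `projectKey` parameters, and a hypothetical injected `sender` so the flow can be exercised without a live server. The requests carry no cookies, so the server authenticates the token instead of treating the call as a browser JWT session, which is where the CSRF check applies.

```python
import json
import urllib.error
import urllib.parse
import urllib.request


def build_request(base_url, admin_token, endpoint, params):
    """POST form-encoded params with a Bearer token and no cookies, so the
    call is token-authenticated rather than looked up as a JWT session."""
    body = urllib.parse.urlencode(
        {k: v for k, v in params.items() if v is not None}).encode()
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/{endpoint}", data=body, method="POST",
        headers={"Authorization": f"Bearer {admin_token}",
                 "Content-Type": "application/x-www-form-urlencoded"})


def send(req):
    """Default sender for a live server: returns (status, body) and turns an
    HTTP error such as 401 into a status code instead of an exception."""
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def rotate_project_token(base_url, admin_token, login, old_name, new_name,
                         project_key, sender=send):
    """Create the replacement PROJECT_ANALYSIS_TOKEN before revoking the old
    one, so a failed generate never leaves the project without a token.
    Returns the new secret; store it as a CI secret and never log it."""
    gen = build_request(base_url, admin_token, "api/user_tokens/generate", {
        "login": login, "name": new_name, "type": "PROJECT_ANALYSIS_TOKEN",
        "projectKey": project_key})
    status, body = sender(gen)
    if status != 200:
        raise RuntimeError(f"generate failed with HTTP {status}: {body}")
    new_secret = json.loads(body)["token"]
    rev = build_request(base_url, admin_token, "api/user_tokens/revoke",
                        {"login": login, "name": old_name})
    status, body = sender(rev)
    if status not in (200, 204):
        raise RuntimeError(f"revoke failed with HTTP {status}: {body}")
    return new_secret
```

Use a distinct name for the new token (for example a date suffix), since SonarQube rejects a second token with the same name for the same user.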